A significant consideration in interaction between computing entities is trust: whether a foreign computing entity will behave in a reliable and predictable manner, or will be (or already is) subject to subversion. Trusted systems containing a trusted device, often referred to as a Trusted Platform Module (TPM), that is at least logically protected from subversion have been developed by the companies forming the Trusted Computing Group (TCG). The TCG develops specifications in this area, for example the “TCG TPM Specification” Version 1.2, which is published on the TCG website. The implicitly trusted devices of a trusted system enable measurements of the trusted system to be taken and are then able to provide these, in the form of integrity metrics, to appropriate entities wishing to interact with the trusted system. The receiving entities are then able to determine, from the consistency of the measured integrity metrics with known or expected values, that the trusted system is operating as expected.
The TCG has also developed specifications to enhance the architecture of common computing entities by means of new functionalities, amongst others so-called ‘binary attestation’, to verify the integrity of a remote computing entity. In brief, binary attestation measures all the (binary) code executed on the computing entity by using certain metrics (for example a cryptographic hash value over the code binary). The result is stored in special registers in the trusted device before executing the code. This procedure is bootstrapped starting with a kind of pre-BIOS that is trusted by default and measures the boot-loader, storing the result. This procedure can be used to build a so-called ‘chain of trust’, which can then be extended to the operating system components and to applications.
Binary attestation has, however, been reported to suffer some shortcomings. Binary attestation typically reveals information about the configuration of a computing entity or application. This information can be misused to discriminate against certain configurations (for example, operating systems) and even the corresponding vendors, or may be exploited to mount attacks.
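The measure-then-extend chain and the verifier's comparison against known values, described above, can be sketched as follows. This is an added example, not part of the original text: it models a single TPM 1.2 style register (SHA-1, 20 bytes), uses constructed placeholder binaries, and assumes the reported register value has already been authenticated.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 register holds one SHA-1 digest

def measure(code: bytes) -> bytes:
    """Integrity metric: cryptographic hash over the code binary."""
    return hashlib.sha1(code).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Extend operation: new value = SHA-1(old value || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()

def boot(stages):
    """Measure each stage before it runs; return (final register, event log)."""
    pcr, log = bytes(PCR_SIZE), []
    for name, code in stages:
        m = measure(code)
        pcr = extend(pcr, m)
        log.append((name, m))
    return pcr, log

def verify(reported_pcr, log, known_good):
    """Verifier: replay the log, then compare each metric with expected values."""
    pcr = bytes(PCR_SIZE)
    for _, m in log:
        pcr = extend(pcr, m)
    if pcr != reported_pcr:
        return False, ["event log does not match reported PCR"]
    unknown = [name for name, m in log if known_good.get(name) != m]
    return not unknown, unknown

# Constructed sample binaries (placeholders, not real firmware images)
GOOD = [("boot-loader", b"loader v1"), ("os-kernel", b"kernel v1"),
        ("application", b"app v1")]
KNOWN_GOOD = {name: measure(code) for name, code in GOOD}

def demo():
    pcr, log = boot(GOOD)
    ok = verify(pcr, log, KNOWN_GOOD)
    changed = [GOOD[0], ("os-kernel", b"kernel v1, modified"), GOOD[2]]
    pcr_c, log_c = boot(changed)
    bad = verify(pcr_c, log_c, KNOWN_GOOD)
    # Presenting the unmodified log does not help: it no longer replays
    # to the register value produced by the changed boot.
    mismatched = verify(pcr_c, log, KNOWN_GOOD)
    return ok, bad, mismatched

if __name__ == "__main__":
    print(demo())
```

The check in `verify()` only works because the verifier sees the hash of every component in the chain, which is the configuration disclosure identified above as a shortcoming of binary attestation.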
One proposal to overcome these shortcomings is to transform the binary attestation into property-based attestation (PBA), as described in “Property-based Attestation for Computing Platforms: Caring about properties, not mechanisms” in The 2004 New Security Paradigms Workshop, Virginia Beach, Va., USA, September 2004. ACM SIGSAC, ACM Press. The basic idea here requires a computing entity to attest that it fulfils desired (security) requirements without revealing a respective specific software and/or hardware configuration. One concrete solution for such a PBA is described in “A Protocol for Property-Based Attestation”, Liqun Chen, Rainer Landfermann, Hans Loehr, Markus Rohe, Ahmad-Reza Sadeghi, and Christian Stüble, the proceedings of the First ACM Workshop on Scalable Trusted Computing (STC'06), the ACM Press, 2006. The proposal provides a PBA protocol within an abstract model for the main functionalities provided by TCG-compliant computing entities. The protocol requires an off-line trusted third party (TTP) to publish a list of trusted configurations and respective certificates to attest that the configurations provide a specific property or properties. A first computing entity (a “prover”) can use the signed configurations and certificates to prove to a second computing entity (a “verifier”) that it has appropriate properties, without disclosing those properties.
Aspects and embodiments of the present invention aim to provide an alternative form of PBA.